Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 12/05/2024, 17:47
Static task: static1
Behavioral task: behavioral1
  Sample: 3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe
Size: 8.3MB
MD5: 3b567d9c4e2d5231909895b8f322c05b
SHA1: 79259bc14ca25da323c781b0cc5f1a667005199e
SHA256: 0acb5e272dbc9821aa1ef668bc2f60489d25e5e50761e7dfefe02064cab5eb17
SHA512: 44853f0184164aafc6ad5fd99026ee8745ad046bfe2d9dc329379b9852a9350985b504c8e2899d8e1acdb78c7c7755ad4d8289a31161205495344b229fb163c8
SSDEEP: 49152:Up+fhpBIWwWdlpoSONbxVHkqKtp5CsyTnz58ZYMPSIi3w6UK4Xb1OFO4b2FhDTTY:UpJ/pKtp5ChzrgbMF1iPPrBWRd
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1744  MacromediaFlesh.exe
Loads dropped DLL (64 IoCs)
  pid 1996  3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe (2 entries)
  pid 1744  MacromediaFlesh.exe (remaining 62 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MacromediaFlesh = "C:\\Users\\Admin\\AppData\\Roaming\\MacromediaFlesh\\MacromediaFlesh.exe"
  process: MacromediaFlesh.exe
  (The key sits under the logged-on user's hive, i.e. HKCU\...\CurrentVersion\Run: the value is executed at every logon of that user and setting it requires no elevation. The target lives under %APPDATA%, a directory the user can write to.)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1744  MacromediaFlesh.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1996 wrote to memory of 1744 (reported four times, all identical)
  pid 1996  3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe
  procid_target: 28
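The signature text above is what a triage script has to work with: a flattened "Set value" line for the Run key and four copies of the same WriteProcessMemory entry. The following Python is an added example (not tria.ge tooling and not part of the original report) that parses those two IoC formats, undoes the report's doubled backslashes, extracts the user SID/RID from the hive path, deduplicates the memory-write entries, and ties the persistence back to the parent-child relationship. The input strings are copied from this report; the list of user-writable directories and the PID-to-image map are assumptions made for the example.

```python
"""Structured IoC extraction from tria.ge 'Signatures' text (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed input: the two signature lines copied from the report above.
RUN_KEY_IOC = r'Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MacromediaFlesh = "C:\\Users\\Admin\\AppData\\Roaming\\MacromediaFlesh\\MacromediaFlesh.exe" MacromediaFlesh.exe'
WPM_IOCS = ("PID 1996 wrote to memory of 1744 1996 "
            "3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe 28 ") * 4

# Assumption: PID -> image name, taken from the report's process tree.
PID_NAMES = {1996: "3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe",
             1744: "MacromediaFlesh.exe"}

# Assumption: directories a standard user can write to. An autorun pointing
# here needs no admin rights, which is the usual shape of user-level persistence.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")

_RUN_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = "(?P<data>.*)" (?P<proc>\S+)$')
_WPM_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)')


@dataclass
class RunKeyIoC:
    key: str
    name: str
    target: str
    process: str
    hive_sid: str
    rid: int
    user_writable: bool


@dataclass
class MemoryWrite:
    src: int
    dst: int
    process: str
    target_id: int


def parse_run_key(line: str) -> RunKeyIoC:
    """Parse one 'Set value (...) <key>\\<name> = "<data>" <process>' line."""
    m = _RUN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Set value IoC: {line!r}")
    # The report prints backslashes in the value data doubled; collapse them.
    target = m["data"].replace("\\\\", "\\")
    sid_m = re.search(r"\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", m["key"])
    sid = sid_m.group(1) if sid_m else ""
    rid = int(sid.rsplit("-", 1)[1]) if sid else -1  # RID >= 1000: regular account
    return RunKeyIoC(key=m["key"], name=m["name"], target=target, process=m["proc"],
                     hive_sid=sid, rid=rid,
                     user_writable=any(d in target.lower() for d in USER_WRITABLE))


def parse_memory_writes(text: str) -> list[MemoryWrite]:
    """Extract (src, dst) write pairs, collapsing the repeated identical entries."""
    seen: set[tuple[int, int, str]] = set()
    out: list[MemoryWrite] = []
    for m in _WPM_RE.finditer(text):
        rec = MemoryWrite(int(m["src"]), int(m["dst"]), m["proc"], int(m["target"]))
        key = (rec.src, rec.dst, rec.process)
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def findings(run: RunKeyIoC, writes: list[MemoryWrite], names: dict[int, str]) -> list[str]:
    """Turn the parsed IoCs into analyst-readable findings."""
    out = []
    if run.key.upper().startswith("\\REGISTRY\\USER\\"):
        out.append(f"user-level Run key persistence (RID {run.rid}): {run.name} -> {run.target}")
    if run.user_writable:
        out.append("autorun target is in a user-writable directory")
    for w in writes:
        # The process that set the key is the one the parent wrote memory into.
        if names.get(w.dst) == run.process:
            out.append(f"PID {w.src} ({names.get(w.src, '?')}) wrote into PID {w.dst} "
                       f"({run.process}), which then installed the autorun")
    return out


if __name__ == "__main__":
    run = parse_run_key(RUN_KEY_IOC)
    writes = parse_memory_writes(WPM_IOCS)
    for line in findings(run, writes, PID_NAMES):
        print(line)
```

Running it against the report text yields one deduplicated memory write (1996 into 1744) and three findings; the same parser works on any tria.ge report that uses these two signature formats, which is why the regexes key on the "Set value (...)" and "wrote to memory of" phrasing rather than on this sample's names.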
Processes
C:\Users\Admin\AppData\Local\Temp\3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe (PID 1996)
  command line: "C:\Users\Admin\AppData\Local\Temp\3b567d9c4e2d5231909895b8f322c05b_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\MacromediaFlesh\MacromediaFlesh.exe (PID 1744)
    command line: "C:\Users\Admin\AppData\Roaming\MacromediaFlesh\MacromediaFlesh.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1.2MB
  MD5: 56cc386c450151906018243234ac705e
  SHA1: 4594db6817a3f2f2c16c85dee56d63b7349d451d
  SHA256: 722b1fc4ecb46f8b81ed9d1771877f9d56343d2075d932a07e756577dc9ac89f
  SHA512: 8188adacc032185686f3935666f64d49d1d0b55ca3837bff1277da5fcc4b5bdcba50b0bdfa41f5ff11ba0a3dfebda735e567b1cada7608b4aed091cc806f4811
File 2 (hashes match the submitted sample)
  Filesize: 8.3MB
  MD5: 3b567d9c4e2d5231909895b8f322c05b
  SHA1: 79259bc14ca25da323c781b0cc5f1a667005199e
  SHA256: 0acb5e272dbc9821aa1ef668bc2f60489d25e5e50761e7dfefe02064cab5eb17
  SHA512: 44853f0184164aafc6ad5fd99026ee8745ad046bfe2d9dc329379b9852a9350985b504c8e2899d8e1acdb78c7c7755ad4d8289a31161205495344b229fb163c8